authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-14 14:54:00 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-14 17:15:59 +0100
commitf595629011ab4fd5daeae4152c9fca8477136294 (patch)
tree3ea9975311f3485a8debb95711782f193c50c886
parent4b2b878ddd08a6a56ed35b489d161da3cbc16b1f (diff)
downloadgnutls-f595629011ab4fd5daeae4152c9fca8477136294.tar.gz
PKCS#5,7 decryption: fail early on invalid block sizes
-rw-r--r--lib/x509/pkcs7-crypt.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index 2d2e170bfd..279ea1aed6 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -1008,6 +1008,8 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn,
int key_size;
unsigned int pass_len = 0;
const struct pkcs_cipher_schema_st *p;
+ unsigned block_size;
+ const cipher_entry_st *ce;
if (password)
pass_len = strlen(password);
@@ -1073,6 +1075,15 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn,
goto error;
}
+ ce = cipher_to_entry(enc_params->cipher);
+ block_size = _gnutls_cipher_get_block_size(ce);
+
+ if (ce->type == CIPHER_BLOCK && (enc.size % block_size != 0)) {
+ gnutls_assert();
+ result = GNUTLS_E_ILLEGAL_PARAMETER;
+ goto error;
+ }
+
/* do the decryption.
*/
dkey.data = key;
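Review bot: The new guard accepts `enc.size == 0` for a block cipher, because `0 % block_size` is 0, and the unpadding in the last hunk then reads `enc.data[enc.size - 1]`. Unless an empty ciphertext is rejected in lines outside this hunk, the condition should also require a non-zero length: `if (ce->type == CIPHER_BLOCK && (enc.size == 0 || enc.size % block_size != 0))`. Separately, `ce->type` is dereferenced straight after `cipher_to_entry(enc_params->cipher)` with no NULL test. If that lookup can fail for the value parsed into `enc_params`, a `ce == NULL` check before this block would also keep `block_size` from being used as a zero divisor. The function body starts and ends outside the hunk.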
@@ -1081,8 +1092,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn,
d_iv.data = (uint8_t *) enc_params->iv;
d_iv.size = enc_params->iv_size;
result =
- _gnutls_cipher_init(&ch, cipher_to_entry(enc_params->cipher),
- &dkey, &d_iv, 0);
+ _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
gnutls_free(key);
key = NULL;
@@ -1102,7 +1112,7 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn,
decrypted_data->data = enc.data;
- if (gnutls_cipher_get_block_size(enc_params->cipher) != 1)
+ if (block_size != 1)
decrypted_data->size = enc.size - enc.data[enc.size - 1];
else
decrypted_data->size = enc.size;
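Review bot: The pad length `enc.data[enc.size - 1]` is still subtracted from `enc.size` without a range check, so a final byte larger than `enc.size` makes `decrypted_data->size` wrap if the size field is unsigned, as it appears to be. With a wrong password or corrupted input that byte is effectively arbitrary, so callers would be handed a length far beyond the buffer. Since `block_size` is now in scope, the byte can be validated before the subtraction, rejecting the data when `pad == 0 || pad > block_size || pad > enc.size` and jumping to the existing `error` path with a decryption-failure code. Whether the `error` label handles `enc.data` correctly after it has been assigned to `decrypted_data->data` is not visible here and should be confirmed.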